[Samba] Samba4 AD Groups Problem

Lukas Gradl samba.org at ssn.at
Mon Jan 14 07:18:55 MST 2013 

Hi!

I created a Samba4 Demo Server to test AD functionality. Basically  
it's a Debian Wheezy machine with a manually compiled Samba4  
(smbstatus -V: Version 4.1.0pre1-GIT-051a1a9) according to  
https://wiki.samba.org/index.php/Samba4/HOWTO but adjusted the paths  
to a more debian way.

I can Manage the Server with the Windows Domain Utilities, add users,  
add groups, add Machines and so on.
I created some printers and managed to set up Point and Print Drivers  
using print$.

So I think the Server basically works as expected.

Now I'm trying to set up a share which can be read by everyone and  
written by Domain Admins only. I can see the share on my server as  
well as a file created in there on the linux command line, but I'm not  
able to enable write Permission for Domain Admins.

I created a directory on the server /space/testshare and did a "chmod  
777 /space/testshare" to be shure there's no problem on the linux file  
system. When I set "read only = no" on the share I can create a file  
there without any problem. But setting "read only = yes" and "write  
list = @"TEST\Domain Admins"" doesn't work - I get "access denied" on  
the windows host, despite I'm logged on as TEST\Administrator

Some additional information:

root at samba:~# smbstatus -V
==========================
Version 4.1.0pre1-GIT-051a1a9


root at samba:~# wbinfo -u
=======================
Administrator
Guest
krbtgt
dns-samba
testuser

root at samba:~# wbinfo -g
=======================
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
Testgroup

root at samba:~# cat /etc/samba/smb.conf
=====================================
# Global parameters
[global]
     workgroup = TEST
     server string =
     realm = TEST.LOCAL
     netbios name = SAMBA
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,  
winbind, ntp_signd, kcc, dnsupdate
     log level = 3

[netlogon]
     path = /var/lib/samba/sysvol/test.local/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

[printers]
     comment = Printer
     path = /var/spool/samba/spool
     browseable = Yes
     read only = No
     printable = Yes

[print$]
     path = /var/spool/samba/driver
     read only = No

[testshare]
     Comment = Test share
     path = /space/testshare
     read only = Yes
     write list = @"TEST\Domain Admins"


Any help what to do next?

regards
Lukas

More information about the samba mailing list